// Copyright (c) .NET Foundation. All rights reserved.
// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.

using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

namespace NuGet.Services.Entities
{
    /// <summary>
    /// This entity defines which federated credentials can operate on behalf of a user. The policy is used to evaluate
    /// an incoming federated credential and define what actions can be taken on behalf of the user.
    /// </summary>
    public class FederatedCredentialPolicy : IEntity
    {
        /// <summary>
        /// The unique key for this federated credential policy. Generated by the database.
        /// </summary>
        public int Key { get; set; }

        /// <summary>
        /// When this entity was first created. The timestamp is in UTC.
        /// </summary>
        public DateTime Created { get; set; }

        /// <summary>
        /// When this policy was last evaluated against an external credential and it matched. The timestamp is in UTC.
        /// </summary>
        public DateTime? LastMatched { get; set; }

        /// <summary>
        /// A type enum to determine how the <see cref="Criteria"/> field should be interpreted.
        ///
        /// Think of this field as a category of federated credential, where a given type value is specific to a
        /// particular identity provider (e.g. Entra ID) and specific type of credential provided by that identity
        /// provider (e.g. OpenID Connect token for a service principal in the app-only flow).
        ///
        /// The type should be one of the values defined in <see cref="FederatedCredentialType"/>.
        ///
        /// This column name ends in "Key" to allow a future where this is normalized into its own table, much like
        /// <see cref="Package.PackageStatusKey"/> and <see cref="Package.SemVerLevelKey"/>.
        /// </summary>
        [Required]
        [Column("TypeKey")]
        public FederatedCredentialType Type { get; set; }

        /// <summary>
        /// A JSON object used to evaluate whether a token matches a user-provided pattern. Some criteria may be
        /// implied by the <see cref="System.Type"/> and may not be explicitly states in this field. Only criteria that varies
        /// from user to user or between individual cases should be expressed in this JSON object.
        ///
        /// The maximum length is defined by the application and has an unbounded length in the database.
        /// </summary>
        [Required]
        public string Criteria { get; set; }

        /// <summary>
        /// The key of the user that created this policy. If this policy was created by a site admin, this key will
        /// point to the user record that the site admin was acting on behalf of, not the site admin themselves.
        /// </summary>
        public int CreatedByUserKey { get; set; }

        /// <summary>
        /// The key of the owner user or owner organization that this policy will create API keys scoped for. This is
        /// the user or organization that the user referred to by <see cref="UserKey"/> is acting on behalf of. This
        /// value will be used in resulting short-lived API keys in the <see cref="Scope.OwnerKey"/> value.
        /// </summary>
        public int PackageOwnerUserKey { get; set; }

        /// <summary>
        /// The navigation property for the user that created the policy, defined by <see cref="CreatedByUserKey"/>.
        /// </summary>
        public virtual User CreatedBy { get; set; }

        /// <summary>
        /// The navigation property for the package owner user, defined by <see cref="PackageOwnerUserKey"/>.
        /// </summary>
        public virtual User PackageOwner { get; set; }

        /// <summary>
        /// The navigation property for the credentials that were allowed and created by this policy.
        /// </summary>
        public virtual ICollection<Credential> Credentials { get; set; }
    }
}
